In addition to consulting services for PCI DSS we provide services for complying applications against PA DSS - Payment Application Data Security Standard (previously known as PABP - Payment Application Best Practices).
PA DSS applicable to - As the council states, "The PA-DSS applies to software vendors and others who develop payment applications that store, process, or transmit cardholder data as part of authorization or settlement, where these payment applications are sold, distributed, or licensed to third parties."
Secure payment applications, when implemented in a PCI DSS compliant environment, will minimize the potential for security breaches leading to compromises of full magnetic stripe data, card validation codes and values (CAV2, CID, CVC2, CVV2), PINs and PIN blocks.
PA DSS Requirements
Requirements of the standard - NII helps organizations meet all the requirements of PA DSS given its background in application security audits and PCI DSS implementations. The requirements of the standard vary from encrypting sensitive traffic over public networks and non console administrative access to purging off sensitive data once used, logging payment application activity, ensuring updates to secure remote software and more provided in the 'Requirements and Security Assessment Procedures' document from the council's web site. Services and Benefits from NII:
NII offers the following services independently and collectively as part of the PA DSS implementation exercise.
- Identifying 'your' PA DSS requirements - Each payment application is unique, designed to cater to the requirements of specific credit card environment and processing channels. With different platforms, coding languages, integration approaches, hosting methodologies, and payment gateway interfaces, the challenges of securing all the components increase multifold. With NII's understanding of payment applications and the security requirements of credit card environments, a clear understanding and listing of specific PA DSS requirements becomes a simplified preliminary task. This exercise will typically result in designing the PA DSS Implementation Guide for the said payment application.
- Gap Analysis - This exercise would help identify the discrepancies between the current state and functioning of the payment application versus the minimum requirements of PA DSS. The gap analysis is taken upon as a thorough exercise beyond checklists to verify not only the requirements but also the alignment of the functionality with the requirements. The key benefit here is that the result of our analysis will focus on achieving optimized output from the software keeping the requirements of the standard into perspective.
- Designing Road map for Implementing Gaps - NII can assist the payment application teams along with all the stake owners to help prioritize the implementation efforts and close all the identified gaps commensurate with the expected levels of implementation and maturity.
- Source Code Review - This exercise includes reviewing the relevant modules of the application for controls considered/missed during the design phase of the application. Thorough threat modeling exercises precede our source code reviews and such an exercise is very effective in identifying serious programming errors which usually result in fault injection points within the application.
- Application Security Assessment - Application Security Assessment is designed to identify and assess threats to the organization through bespoke, proprietary applications or systems. We use the OWASP (Open Web Application Security Project) guidelines and the OSSTMM standard to build the assessment checklists. These applications may provide interactive access to potentially sensitive materials.More
- Coordination with PA DSS QSA - The entire PA DSS implementation exercise culminates with a Qualified Security Assessor (QSA) attesting the request for validation of the payment application. NII has tie ups with leading QSAs to facilitate and maintain the validation of the payment application.